VYPR

Owncloud

by OwnCloud

CVEs (135)

  • CVE-2016-7419 | Med | Sep 17, 2016
    risk 0.35 | cvss 5.4 | epss 0.01

    Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.

  • CVE-2016-9462 | Med | Mar 28, 2017
    risk 0.28 | cvss 4.3 | epss 0.02

    Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only…

  • CVE-2016-9461 | Med | Mar 28, 2017
    risk 0.28 | cvss 4.3 | epss 0.02

    Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a…

  • CVE-2017-5866 | Med | Mar 3, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors.

  • CVE-2016-1501 | Med | Jan 8, 2016
    risk 0.28 | cvss 4.3 | epss 0.02

    ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages.

  • CVE-2017-5865 | Low | Mar 3, 2017
    risk 0.24 | cvss 3.7 | epss 0.01

    The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number…

  • CVE-2016-1500 | Low | Jan 8, 2016
    risk 0.20 | cvss 3.1 | epss 0.01

    ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting…

  • CVE-2023-49105 | Nov 21, 2023
    risk 0.07 | cvss | epss 0.11

    An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted…

  • CVE-2014-2044 | Oct 6, 2014
    risk 0.04 | cvss | epss 0.12

    Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS)…

  • CVE-2015-4716 | Oct 21, 2015
    risk 0.02 | cvss | epss 0.25

    Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors.

  • CVE-2023-49104 | Nov 21, 2023
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain controlled by the…

  • CVE-2022-31649 | Jun 9, 2022
    risk 0.00 | cvss | epss 0.01

    ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.

  • CVE-2021-35946 | Sep 7, 2021
    risk 0.00 | cvss | epss 0.01

    A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.

  • CVE-2021-29659 | May 20, 2021
    risk 0.00 | cvss | epss 0.01

    ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a…

  • CVE-2020-36248 | Feb 19, 2021
    risk 0.00 | cvss | epss 0.00

    The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.

  • CVE-2020-36250 | Feb 19, 2021
    risk 0.00 | cvss | epss 0.00

    In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.

  • CVE-2020-10252 | Feb 19, 2021
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack.

  • CVE-2020-10254 | Feb 19, 2021
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview.

  • CVE-2020-16255 | Jan 15, 2021
    risk 0.00 | cvss | epss 0.01

    ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.'

  • CVE-2013-0203 | Nov 22, 2019
    risk 0.00 | cvss | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to…
